CNSS: Interagency Partnering to Protect Our National Security Systems

The Honorable John G. Grimes
Department of Defense Chief Information Officer

The CNSS performs the vital function of mobilising the full, interagency National Security Community for the protection of telecommunications and information systems that support U.S. national security. This article describes recent strategic accomplishments of the CNSS and individual federal departments and agencies along with priorities for 2008.


The United States faces increasing threats in the homeland security, cyber security and information sharing environments, and the need for increased cooperation among key members of government, industry, academia, the private sector, and allied nations has never been greater. CNSS provides an interagency forum for addressing IA policy issues impacting critical NSS. Through its membership and partnerships (a total of 21 members and 10 observers from the executive branch of the U.S. government) the CNSS has a history of addressing vulnerabilities that have the potential to impact the national security community’s ability to safeguard key systems. In 2007, the CNSS made significant contributions to federal, state, local, and coalition security efforts across the following five areas:

1. Assured Information Sharing (AIS)

AIS is fundamental to the integrity of our data and systems, and is essential to the nation’s well-being and defense. The CNSS is actively engaged in making significant improvements across these areas. The UCDMO - a joint effort between the DoD and the DNI - has put out a unified technology road map to expedite the use of information sharing solutions between classification domains. The CNSS will extend the UCDMO’s progress to other federal departments and agencies and improve information sharing among government departments and agencies. One of the key tools that revolutionized communications in recent years has been wireless devices such as PDAs and Blackberries. The emergence of the Secure Mobile Environment Portable Electronic Device - with e-mail and Web browsing capabilities up to the Secret level and voice capabilities up to Top Secret - is taking wireless to the next level. It will provide the homeland and national security communities with secure communications whenever and wherever they are needed. Another area the CNSS has emphasized is the use of data at rest encryption to protect sensitive unclassified data stored on removable media and mobile computing devices like laptops. Communication and information exchange between the U.S. and our allies in the global war on terror has been an area where the CNSS has been actively engaged. In 2007, the CNSS approved more than 60 transfers of critical products to improve information sharing. For 2008, CNSS priorities for AIS will highlight the need for developing and deploying more
tools, technologies, and products that will ensure the national security community has secure, reliable access to information whenever and wherever it is needed.

2. Managing Risk

Assessing and managing risk is essential to safeguarding NSS, and we have a solid strategy to counter the threats posed by those who attempt to exploit vulnerabilities in the hardware and software we rely on. The CNSS is championing a common risk assessment methodology and a common C&A process across the government. These changes will help identify vulnerabilities, determine acceptable risk levels, and increase trust among system owners. The use of common approaches will improve capabilities, reduce costs, and increase interoperability. For the coming year our priorities for managing risk include establishing common approaches for C&A, risk assessment, and managing supply chain risk.

3. Identity Assurance

The majority of successful network penetrations today are due to failures in identity assurance where a compromised password and user ID have been used to gain unauthorized access. Establishing strong identification and authentication techniques for people and devices is central to any security effort, and that makes assurance critical. Access control based on standard user characteristics (such as the user’s organization or role) increases both speed and security when it comes to information sharing. Members of the CNSS are working to promote the use of identity assurance technologies such as smart cards, tokens, biometrics, and public key technologies. Identity assurance priorities include expanding the public key infrastructure to additional communities of interest and leveraging other promising technologies such as biometrics.

4. Network Resilience for Mission Assurance

The global information infrastructure supporting the President, our military commanders, and homeland security leaders must be reliable and resilient even in the face of attacks. National security rests on having the confidence that these critical functions will be accessible during disrupted and distressed conditions. By working with private sector and allied partners, we ensure critical capabilities and missions remain operational.

CNSS Policy No. 12, issued in March 2007, emphasized integrating IA into the life-cycle of space systems that collect, generate, process, store, display, or transmit national security information. This was a huge step forward and had a dramatic impact on the commercial satellite assets so critical to keeping our networks
resilient. Additional priorities for 2008 include national-level exercises to enhance responses to serious cyber-degradation by critical infrastructure owners/operators, accelerating next-generation security management infrastructure development, security capabilities supporting global information sharing, and increasing the focus on continuity of operations and reconstitution.

5. Building and Sustaining the IA Work Force

People are the most critical element in securing national security systems. They operate the technology, implement the procedures, execute the policies, and make the decisions that impact everything the CNSS touches. The IA professionals who build, maintain, and defend our critical networks deserve the best education and training possible, and the CNSS has established strict standards for national IA training and education to support them. These standards have been incorporated into the training curriculum at more than 160 institutions in government, academia, and the private sector. In 2007, more than 80 centers of academic excellence across 34 states and the District of Columbia provided college students with high-level IA education, along with the opportunity to earn federal scholarships. Many scholarship students are now working for the federal government where their IA expertise is contributing to the security of our national information infrastructure. CNSS priorities for 2008 include improving IA education nationwide and working more closely with private sector training and certification vendors to infuse standards into their certification programs.

As the CNSS Chair, I am proud to say it continues to be an invaluable interagency forum for engaging the national security community on long-term, integrated solutions so vital to protecting the global information infrastructure. CNSS priorities for 2008 support the President’s national cyber-security initiative, and focus on increasing the level of trust in NSSs, protecting them from our adversaries and making certain that mission-essential functions can be performed in an increasingly hostile cyber-environment. The complex challenges and emerging issues brought to the forefront by this invaluable group not only delivered benefits for national security, they also created a ripple effect that touches countless other functional areas and communities.

Acronym Key for This Issue

AIS: Assured Information Sharing
C&A: Certification and Accreditation
CIO: Chief Information Officer
CNSS: Committee on National Security Systems
DASD(IIA): Deputy Assistant Secretary of Defense for Information and Identity Assurance
DIACAP: DoD Information Assurance Certification and Accreditation Process
DIAP: Defense Information Assurance Program
DISA: Defense Information Systems Agency
DNI: Director of National Intelligence
DoD: Department of Defense
GIAP: GIG IA Portfolio (Management)
GIG: Global Information Grid
IA: Information Assurance
IC: Intelligence Community
INFOSEC: Information Security
IT: Information Technology
NII: Networks and Information Integration
NSA: National Security Agency
NSS: National Security Strategy
R&D: Research and Development
SME: Subject Matter Expert
UCDMO: Unified Cross Domain Management Office
USG: United States Government

